Tracking the most serious card hack yet

By Nicole Perlroth / New York Times News Service

SAN FRANCISCO — There are two tracks to finding the identity of a company that has been hit by cybercriminals. Both of them involve going backward.

Over the past few days, thousands of fresh credit and debit card numbers have surfaced on so-called carding sites, which are websites where stolen credit card data is sold. On those sites, Eastern European hackers are selling the stolen account information of people in cities as distant as Mission Viejo, California, and Hanover, New Hampshire. They are charging as much as $50 per card.

Bank employees, fraud detectives at computer security companies and law enforcement officials are tracing the path taken by the stolen cards, tracking the source of what appears to be the latest in a series of major data breaches that the Secret Service and the Department of Homeland Security believe has affected more than 1,000 U.S. retailers.

So far, all roads point back to Home Depot. And if the evidence uncovered so far proves to be valid, the hack could top the record-setting breach of Target’s network in December.

Investigators are searching for what they call “a common point of purchase” among the cards.

Bank employees are able to identify stolen cards simply by examining the first six digits of the card, which are known as the bank identification number. They are buying back card numbers and cross-referencing the transactions of those cards in search of one common retailer.

Fraud detectives, meanwhile, who do not have access to transaction data, are able to exploit a recent innovation in the underground. In the past few years, carding sites have been selling the city, state and ZIP code of the store from which each card was stolen in addition to the account number and expiration date, said Ron Sadowski, the director of technology solutions at RSA, the security division of EMC.

2,200 stores may be affected

Hackers can charge a higher price for that location data because it allows criminals and counterfeiters to fool fraud-detection controls, which often flag purchases from far-flung places, Sadowski said. Investigators will try to match those ZIP codes to a list of store locations for a particular retailer.

On Wednesday, Brian Krebs, the security blogger who first reported the potential breach of Home Depot, said there was a 99.4 percent overlap between ZIP codes listed in a collection of stolen account numbers on an Eastern European carding site, called Rescator, and Home Depot’s store locations.

Krebs said that out of 1,822 ZIP codes listed in the stolen card data on the Rescator carding site, only 10 did not correspond to a Home Depot store location.

That means the breach could affect most of the retailer’s 2,200 stores, which is about 400 more than the Target breach.
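The two tracing methods described above, sketched as an added example that is not part of the original report: ranking merchants by how much more often known-compromised cards shopped there than a baseline set of cards did, and measuring how many ZIP codes in a carding-site listing match a retailer's store list. All card ids, merchant names, ZIP lists and function names are constructed assumptions.

```python
from collections import Counter

def normalize_zip(raw):
    """Return a 5-digit ZIP: strips ZIP+4 suffixes and restores leading zeros."""
    digits = str(raw).strip().split("-")[0]
    return digits.zfill(5) if digits.isdigit() and len(digits) <= 5 else None

def zip_overlap(listing_zips, store_zips):
    """Fraction of distinct ZIPs in the stolen-card listings that have a store."""
    listed = {z for z in map(normalize_zip, listing_zips) if z}
    stores = {z for z in map(normalize_zip, store_zips) if z}
    unmatched = sorted(listed - stores)
    return (len(listed) - len(unmatched)) / len(listed), unmatched

def common_point_of_purchase(compromised, baseline):
    """Rank merchants by how much more often compromised cards shopped there.

    Both arguments map card id -> set of merchants in its transaction history.
    Returns [(merchant, share_of_compromised, share_of_baseline)], best first.
    """
    def shares(histories):
        counts = Counter(m for merchants in histories.values() for m in merchants)
        return {m: n / len(histories) for m, n in counts.items()}
    hit, base = shares(compromised), shares(baseline)
    ranked = [(m, s, base.get(m, 0.0)) for m, s in hit.items()]
    # Sort on the gap, not the raw share: a merchant everyone uses is not a lead.
    return sorted(ranked, key=lambda r: r[1] - r[2], reverse=True)

# Constructed sample data: card ids and merchant names are invented.
COMPROMISED = {
    "card-A": {"GroceryCo", "HardwareMart", "FuelStop"},
    "card-B": {"GroceryCo", "HardwareMart"},
    "card-C": {"HardwareMart", "BookNook", "GroceryCo"},
}
BASELINE = {
    "card-W": {"GroceryCo", "FuelStop"},
    "card-X": {"GroceryCo", "BookNook"},
    "card-Y": {"GroceryCo", "HardwareMart"},
    "card-Z": {"GroceryCo"},
}
# Constructed ZIPs: 3755 is 03755 after a spreadsheet dropped the leading zero.
LISTING_ZIPS = ["92691", 3755, "30339-1234", "99999"]
STORE_ZIPS = ["92691", "03755", "30339", "10001"]

if __name__ == "__main__":
    print(common_point_of_purchase(COMPROMISED, BASELINE)[0])
    print(zip_overlap(LISTING_ZIPS, STORE_ZIPS))
```

In the sample data every compromised card used both GroceryCo and HardwareMart, so the raw share alone cannot separate them; only the comparison against the baseline cards does.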

Krebs, citing bank sources, said fraudulent activity indicated that the breach on Home Depot began as early as late April. If that is confirmed, criminals would have had unfettered access to Home Depot’s payment systems for some four months. By comparison, Target’s breach was detected after three weeks.

Home Depot, based in Atlanta, has not confirmed that it was the victim of a cyberattack, only that it was investigating “unusual activity.”

Paula Drake, a spokeswoman for Home Depot, said the company’s forensics and security teams “have been working around the clock since we first became aware of a potential breach Tuesday morning.”

Drake said Home Depot had engaged Symantec and FishNet Security, two cybersecurity firms, to look into a possible breach.

If a breach is confirmed, Drake reminded customers that they would not be responsible for fraudulent charges and said Home Depot would offer free identity-protection services, such as free credit monitoring.

Retailers are not the only businesses being targeted by hackers. Last week, JPMorgan Chase was the victim of a sophisticated breach that security experts say has affected as many as five financial institutions. The identity of the other institutions is still unclear.

Banks face “thousands” of attempted attacks on their computer systems every day, though the majority of incidents remain unreported, said Avivah Litan, a cybersecurity expert at Gartner. “There are lots of bad guys out there, continually probing bank networks, trying to get in,” Litan said.

The perpetrators of the attacks range from financial hackers, who are typically based in Eastern Europe and Russia, to “hacktivist” groups such as Anonymous, who are trying to make social and political statements, she said. Countries such as China also engage in cyberattacks in an attempt to steal intellectual property.

“Underground criminals are going after all manner of businesses, large and small, that they think are vulnerable,” Sadowski said. “But the good news is there is more information than ever on how criminals are trying to perpetrate these attacks.”

— The Associated Press contributed to this report.